Mitigate Security Threats in your Organization

By Ryan Barton | June 10, 2014
We are just 5 months into 2014, and have already witnessed many high-profile security breaches.

  • The North Carolina Department of Health & Human Services had a “programming error” which sent out 48,000 Medicaid cards for children to the wrong addresses, all containing highly sensitive data.
  • Coca-Cola improperly disposed of unencrypted laptops that resulted in the theft of personal information, such as names, social security numbers, and more.
  • Yahoo had to take measures against a coordinated phishing attack that affected Yahoo email users.
  • Variable Annuity Life Insurance Company had a breach of over 750,000 customers’ social security numbers, stolen with a simple flash drive.
  • More than 5 high-profile universities had data breaches through websites or database servers, resulting in the compromise of hundreds of thousands of sensitive student and faculty records.
  • A foreign espionage cyberattack, believed to have come from China, successfully infiltrated the US Veterans of Foreign Wars website. This attack resulted in the exposure of sensitive data on at least 55,000 US veterans.


Just last month we informed our clients about the Heartbleed bug, which, you may recall, was a vulnerability in open source encryption software commonly used on the web to protect sensitive information. This vulnerability included the potential to reveal usernames and passwords, and it impacted thousands of servers and millions of people.

Adding to the vulnerabilities, in late May, eBay revealed they were the victims of a successful cyberattack, which could potentially result in usernames and passwords being revealed. What makes this attack so alarming is that many of us use the same username and password across dozens of websites. If your eBay credentials were compromised, and you use the same password on your email, which is used for the password reset email for your bank account access… The dominoes just keep falling!

How can this affect your small business?

As these high-profile attacks have all impacted large enterprises, it would be natural to think that as a small business/organization, you are safe. Unfortunately, that just isn’t true.

Each year, Verizon’s Enterprise team puts together a Data Breach Investigations Report (DBIR), with findings from thousands of data breaches. In the 2014 report, they highlight the increasing number of breaches across industries and organizations of all sizes. Here is one revealing excerpt from the DBIR:

“…everyone is vulnerable to some type of event. Even if you think your organization is at low risk for external attacks, there remains the possibility of insider misuse and errors that harm systems and expose data.”

(Quoted from Verizon DBIR 2014. Recommended reading for anyone interested in understanding the breadth and depth of today’s threat landscape.)

Mainstay is seeing this vulnerability firsthand. We provide IT services to over 200 organizations, consisting of companies, municipalities, and nonprofits in your neighborhood. Each year, we see threats evolve, and we see more evidence of cyberattacks against New England organizations. These threats are driving the need for more sophisticated defenses. Your network, your employees, and your web services are being bombarded with known and unknown attacks every day.

What’s really at risk?

The consequences of a security breach typically include the outlay of money, increased stress, and a negative impact on business credibility. Here are just a few examples of how a security breach can put your organization at risk:

  • Bank account compromise – once a hacker accesses your bank account, they will often wire money out of the country. What’s more, banks are not required to cover any losses that result from a cyberattack.
  • Downtime and loss of data – deleted data, disrupted servers, and website crashes all cause downtime and result in unnecessary expenses.
  • Confidential data leak – health records, social security numbers, and other sensitive data are vulnerable to an attack. The required cleanup and notification is very expensive to the compromised organization.
  • Negative public relations (PR) – Many remember the compromise that Target suffered late last year. Shoppers continue to stay away, and as a result, both revenue and stock prices are down. Even on a small business scale, the PR from a breach can be devastating.


It is evident that the remediation costs that accrue after identifying and addressing a breach are far higher than the cost of prevention. These risks are significant, and the threat is growing exponentially.

How does a small organization mitigate the risk?

Mainstay has invested numerous hours and resources to answer that question for our clients. Many companies in the industry paint the risk in misleading terms in an effort to promote their products: “Security breaches happen every day! So buy our antivirus program to protect yourself.” Unfortunately, no one product, no one training, no one system can fully protect an organization. In the same way that you can’t take one vitamin and receive perfect health, you can’t purchase one product and receive perfect security.

At Mainstay, we have developed a method for protecting our clients that we call the Holistic Security Model. This model identifies the risks for each organization and puts into action intentional, routine processes that review the risks, discuss defensive measures, and implement wise countermeasures. In addition, our scalable model can serve businesses that range from 10 – 500 people, without any loss of consistency.

Currently, there are 39 elements to the Holistic Security Model, including antivirus, logging, staff training, web server investigation, security audits, annual reviews, bank account protection measures, and more. Small organizations typically don’t have the resources to support the level of security that is needed, which is why we focused on an innovative approach to security that is fully integrated into our service delivery model. Our security model is not a product for sale, but rather a system that is delivered through engaged meetings with an Account CIO for risk identification and training, routine System Administrator visits for audits and vulnerability remediation, monitoring for security threats, effective issue detection and resolution, and projects engineered to security standards.

As a Mainstay client, you’ll notice an increased focus on security across our team and interactions. Some of our initiatives include recommending security training for all staff, policy improvements, and occasionally, key strategic investments for targeted risk protection.

How does an individual mitigate the risk?

Here are a few key steps that anyone can use to play an important part in protecting yourself against today’s threats:

  1. Be aware of phishing emails: These are emails that appear legitimate but are really deceptive attacks trying to lure you to an infected website. Never click a link in an email that purports to be from a bank, PayPal, the IRS, etc. – especially if the email is trying to scare you!
  2. Be careful when sending emails: Send private data only via encrypted means – either with a password protected file, a 3rd party file sending service, or a special setup on your email server (check with your organization for policies and capabilities for sending encrypted email). And for any sensitive data, double check the “To” address and make sure the recipient address is correct (most of us have accidentally sent an email to the wrong recipient by relying on AutoFill).
  3. Practice safe browsing habits: Visit official websites only. Don’t view adult content, download freeware, or use your work computers for non-work activity.
  4. Be on your guard against social engineering: Hackers will often call on the phone and impersonate a legitimate business, then ask you to install software or provide them sensitive data.
  5. Follow your organization’s staff policies: Be aware of what’s prohibited and understand that it’s prohibited for your own protection!
  6. Use complex and unique passwords: Passwords need to be long and built from multiple types of characters. For instance, redsox14 is not a good password and can be cracked easily. However, R3d$ox2014! is still easy to remember, but is MUCH more difficult to crack. Passwords need to be unique for each site so that if one of the websites gets hacked, your other accounts are still safe. (Tip: you can download software for storing passwords securely, such as KeePass at www.keepass.info or LastPass at www.lastpass.com.)
  7. Password protect all devices: Your smartphone should have a password, and your laptop definitely needs a password. Additionally, your internet-enabled webcam and home router need passwords.
  8. Only store sensitive data on encrypted drives and devices: Over 500,000 laptops are stolen every year, plus countless flash drives (stolen or lost!). You can purchase special flash drives that have built-in encryption. Laptops can be set up with encrypted drives, which protect all data even if the laptop is stolen (note that without an encrypted drive, data is typically vulnerable if the laptop is stolen or lost).
  9. Protect any device used for remote access:  Make sure any computer that’s connecting to your work network has the latest Windows updates, a firewall, up-to-date antivirus, a password, and controlled access.
  10. Beware of public Wi-Fi and public computers: Not all wireless networks are safe! If the network doesn’t require a password, your traffic could be seen by others on the network. Also, public computers cannot be trusted for any sensitive data.
  11. Be mindful of the type and location of data you post: Social media posts can often be seen by foes as well as friends! If you’re uploading data to a website, double check that it isn’t sensitive data that you’re posting publicly.
  12. Put extra protections around bank accounts: If you use your bank account to wire money, then ask your bank for a “security token” (two-factor authentication, where you have a username, a password, and a changing number from a physical device).
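To make item 6 concrete, here is a small added example (not Mainstay's code or part of the original post) that applies the two rules above, length and variety of character types, to the post's own two passwords, gives a naive brute-force keyspace estimate for each, and flags password reuse across sites. The thresholds (10 characters, 3 character classes) and the sample "vault" are assumptions chosen for illustration.

```python
import math
import string

# The two example passwords quoted in item 6 above
WEAK = "redsox14"
STRONGER = "R3d$ox2014!"

# Character classes, counted the way the post describes "multiple types of characters"
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

def classes_used(password):
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}

def keyspace_bits(password):
    """Naive brute-force estimate: log2(alphabet_size ** length).
    This is an upper bound only; a cracker that tries common words with digit
    suffixes or letter-to-symbol substitutions needs far fewer guesses."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def meets_policy(password, min_length=10, min_classes=3):
    """Apply the post's two rules; the numeric thresholds are assumed for this example."""
    return len(password) >= min_length and len(classes_used(password)) >= min_classes

def reuse_report(credentials):
    """credentials maps site -> password. Returns each password used on more
    than one site, which is exactly the reuse the post warns about."""
    by_password = {}
    for site, pw in credentials.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}

if __name__ == "__main__":
    for pw in (WEAK, STRONGER):
        print(f"{pw:12} classes={sorted(classes_used(pw))} "
              f"bits~{keyspace_bits(pw):.0f} meets_policy={meets_policy(pw)}")
    # Constructed sample vault: the weak password is reused on two sites
    sample_vault = {"ebay": WEAK, "email": WEAK, "bank": STRONGER}
    print("reused:", reuse_report(sample_vault))
```

The keyspace numbers (roughly 41 bits versus 72 bits) show why length and variety matter, but the comment in `keyspace_bits` is the important caveat: predictable substitutions shrink the real search space, so uniqueness per site and a password manager remain the stronger defense.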


Above all, be aware of the risk, and be consistent! Remember that we all are targets, and should always stay on guard.

If you would like to learn more about effective responses to today’s security threats or have any questions, please contact us.